differential-review

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest and analyze untrusted external content such as PR comments and code logic. It lacks boundary markers or instructions to ignore embedded commands. Since the agent has access to 'Bash' and 'Write' tools, an attacker could craft a PR that hijacks the agent to perform unauthorized actions. Ingestion points: methodology.md (Phase 0 and 1) reads PR and commit data. Boundary markers: Absent. Capability inventory: Bash, Write, Read, Grep, Glob. Sanitization: Absent.
  • Command Execution (HIGH): The workflow uses 'Bash' to run 'git' and 'gh' commands with unvalidated placeholders like '<baseline_commit>' and ''. If these are derived from untrusted metadata, such as a malicious branch name, it could lead to arbitrary command execution.
  • External Dependencies (LOW): The skill requires external components including the GitHub CLI and other skills like 'audit-context-building'. While common in development environments, they are unverified external dependencies.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 08:25 PM